$1m grabbed for iOS 9.1 bug that will be kept from Apple

Zero-day broker Zerodium claims to have awarded $1 million to an unnamed hacking team that found a remotely exploitable bug in iOS 9.1 that it almost certainly will not share with Apple.

The firm, which buys software exploits from hackers and sells them to governments for “tailored cybersecurity capabilities”, announced on Monday that the bounty went to one team that had submitted a remote browser-based jailbreak effective against iOS 9.1 and iOS 9.2 beta.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!” Zerodium said on Twitter.

Chaouki Bekrar, founder and CEO of Zerodium, noted that the bounty wouldn’t this time make a single person a millionaire.

“It's a team so they will share the million...after paying taxes to their Gov who will use that money to buy useful things :-)),” he wrote in response to a comment on Twitter about the bounty.

Zerodium hasn’t revealed the name of the team that won the bounty or the identities of its members.

Had the bug not been remotely exploitable it wouldn’t have qualified. An example is the Pangu Team jailbreak for iOS 9 that Apple patched in October, which required the iOS device to be connected to a PC for the jailbreak to be applied. Besides that, the Pangu jailbreak, itself an exploit chain against iOS 9, was already public.

One reason Zerodium isn’t interested in publicly known exploits is that once an exploit is public the vendor has a chance to neutralise it: Apple patched the bugs used by the Pangu jailbreak a week after it was published. The jailbreak gave users on iOS versions prior to 9.1 a way to install an alternative app store, but the same exploit chain could, in other hands, be used by an attacker rather than the device’s owner to gain control of the device.

Zerodium announced its “Million Dollar iOS 9 Bug Bounty” in September, offering up to $3 million in total for qualifying jailbreaks, valued at $1 million apiece, so long as each bug was sold exclusively to it.

The company said it offered a high price because it considered iOS “the most secure” mobile OS, which “has currently the highest cost and complexity of vulnerability exploitation”.

Another reason for the high price is the profile of Zerodium’s customers. The company likely plans on reselling the same exploit to intelligence agencies in multiple governments, Robert Graham, CEO of Errata Security, noted when the bounty was launched.

“If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority,” he wrote.

He also doubted the exploit would be sold as a jailbreak, given the likelihood of it being reverse engineered by other hackers once released, which ultimately would reduce the value of the exploit as a tool for government agencies.

“Zerodium phrases their bounty in terms of ‘jailbreaks’, but I'm pretty sure the market for ‘intelligence 0days’ is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose,” Graham wrote.

The other reason for such a high price was the stringent set of conditions an exploit had to meet to qualify. Eligible exploits needed to bypass all of Apple’s OS hardening and exploit mitigations, and the attack had to work remotely, so that it could be launched from a web page or a text message. Attacks that are technically remote but still require proximity to the targeted device, such as one delivered over Bluetooth, were excluded.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.